Category: Information Security

This week the CIA revealed that they believe it was Russia behind the NotPetya attacks that hit in June 2017. They used an attack vector known as a “Watering Hole”. This method infects a website which the attackers know their targets will be visiting.

In the case of NotPetya the website was a Ukrainian site that deployed updates for tax and accounting software. Once the malware had been deployed it appeared to be a ransomware attack. But unlike WannaCry, NotPetya wiped and erased all information on the infected system. This means the attackers were not after money. It was a disruptive nuisance attack that could have potentially erased a large amount of sensitive data.

There has been increasing tension between Russia and Ukraine, and considering that Russia has increased its level of aggression in recent months it comes as no surprise that they have begun launching cyber attacks on this scale.

Kaspersky Lab recently published their threat predictions for 2018. This report is compiled using research and information from their anti-virus software, and with 2017 having seen threats such as WannaCry and NotPetya, 2018 might have a lot in store.

Supply Chain Attacks

A supply chain attack is a method used by attackers to breach the security of a company without directly attacking their target. This means that they find a software vendor or other form of supplier and attack them. Once breached, they have the ability to deploy an infected update through the compromised company to their target.

For 2017 Kaspersky highlights ShadowPad, CCleaner and ExPetr/NotPetya. Kaspersky predicts that the number of supply chain attacks, both those detected and those caught at the point of attack, will increase. While they have not published any statistics, they have been able to analyse this method of attack and believe it will be a popular attack vector in 2018.
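The defensive counterpart to the update-poisoning described above is that a client should never trust an update just because it came from the vendor's server. The following is an added example, not code from the original post or from Kaspersky's report: a client-side update verifier that pins each artifact to a SHA-256 digest listed in a publisher manifest and rejects the update if a file is swapped, added, or the manifest itself is altered. The publisher key, the manifest layout and the `verify_update` helper are assumptions for illustration; the HMAC over the manifest stands in for a real detached signature (a production pipeline would use an asymmetric scheme such as Ed25519 so the client holds no secret).

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Hypothetical publisher key (constructed for this example). With a real
# asymmetric signature the client would hold only the publisher's public key.
PUBLISHER_KEY = b"example-publisher-key-not-real"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over canonical JSON; stand-in for a detached signature."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(artifacts: dict[str, bytes], key: bytes) -> dict:
    """Publisher side: list the digest of every artifact, then sign the list."""
    manifest = {
        "version": "2017.06.27",  # constructed version string
        "files": {name: sha256_hex(blob) for name, blob in artifacts.items()},
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest, key)}


def verify_update(signed: dict, artifacts: dict[str, bytes], key: bytes) -> tuple[bool, str]:
    """Client side: authenticate the manifest first, then pin every file to it."""
    manifest = signed["manifest"]
    expected_sig = sign_manifest(manifest, key)
    # Constant-time comparison so the check itself leaks nothing about the key.
    if not hmac.compare_digest(expected_sig, signed.get("signature", "")):
        return False, "manifest signature mismatch"
    for name, digest in manifest["files"].items():
        if name not in artifacts:
            return False, f"missing artifact {name}"
        if not hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            return False, f"hash mismatch for {name}"
    # A file the manifest never listed is exactly what a dropped-in payload looks like.
    extra = set(artifacts) - set(manifest["files"])
    if extra:
        return False, f"unlisted artifact(s): {sorted(extra)}"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed scenarios: a genuine update and three tampered variants."""
    genuine = {"update.exe": b"legitimate accounting update", "readme.txt": b"release notes"}
    signed = build_manifest(genuine, PUBLISHER_KEY)
    results = {"genuine": verify_update(signed, genuine, PUBLISHER_KEY)}

    # Compromised update server swaps the binary but cannot re-sign the manifest.
    swapped = dict(genuine, **{"update.exe": b"backdoored build"})
    results["swapped_binary"] = verify_update(signed, swapped, PUBLISHER_KEY)

    # Attacker also rewrites the manifest digest but lacks the publisher key.
    forged = json.loads(json.dumps(signed))
    forged["manifest"]["files"]["update.exe"] = sha256_hex(b"backdoored build")
    results["forged_manifest"] = verify_update(forged, swapped, PUBLISHER_KEY)

    # Genuine files intact, but an extra unlisted file is shipped alongside them.
    extra = dict(genuine, **{"helper.dll": b"unlisted payload"})
    results["extra_file"] = verify_update(signed, extra, PUBLISHER_KEY)
    return results


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:16s} accepted={ok} reason={reason}")
```

The design point is the ordering: the manifest is authenticated before any file digest is consulted, so an attacker who controls the distribution server but not the publisher's key cannot make a modified binary verify, and files outside the manifest are refused rather than silently ignored.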

High-End Mobile Malware

Over the past decade smartphone usage has become part of everyday life, and because of this attackers have moved away from the conventional platforms to deliver malware. Kaspersky predicts that there will be an increase in hard-to-detect and hard-to-remove malware on mobile devices. An example of this would be the Shedun Trojan, which in many cases took reinstalling the device's operating system to remove.

They also go on to point out that, because iOS is locked down and does not allow users the ability to scan the system, users of Android are in a better position due to there being anti-virus solutions available on Android. Although this could be down to their own Android product, it gives food for thought that 2018 might have a lot in store for iOS in regard to security.

BeEF-like compromises with web profiling

The report also highlights that, due to improvements in security and a greater level of awareness, operating systems are getting much harder to find vulnerabilities in. The price of a zero-day exploit can be anywhere up to $1,500,000 for a remote iOS jailbreak with persistence. With prices like this there is a high chance that 2018 will see teams of both security researchers and hackers hunting for these zero-day exploits.

UEFI and BIOS Attacks

They have also predicted that 2018 will see a lot more UEFI-based malware. This attack vector can be rather dangerous as UEFI can allow for executables to run before the operating system has even booted. This can result in malware being deployed and installed before the system's anti-virus has even loaded. As a result they are under the impression that there will be much more of this style of malware detected in 2018.

Destructive Attacks

According to the report there will be a greater number of destructive attacks detected. The malware, or wipers, can remain dormant and infect numerous systems just as a normal worm would. But when activated the virus will then erase all of the data on the system. It is an effective and devastating method of cyber warfare, resulting in their prediction of a rise in 2018.

Subversion of Cryptography

In today's age staying anonymous online is in the back of many people's minds, after Snowden leaked documents highlighting mass surveillance. Kaspersky reports that a number of backdoors have been found in VPN networks. It also notes that the NSA appears to be behind these backdoors after paying companies to put them in. While in a lot of cases this might not seem all that worrying, their prediction of 2018 seeing more vulnerabilities of this nature is rather worrying.

Router And Modem Hacks

During 2017 there was a massive vulnerability found in a large number of routers, and the report also highlights how they believe we will see a lot more of these styles of attack through 2018. They go on to explain that in some large-scale operations the routers and modems will remain unpatched and unwatched for a long period of time, opening them up to all sorts of attacks.

Kaspersky Lab have published one of the earliest 2018 threat predictions, and we will have to see how some of the other big security vendors think 2018 is going to go in terms of cyber security.

In a world where daily internet access is part and parcel of life, it is hard to avoid the many threats that are out there lurking in the ‘wild’. And with so many types of malware out there it's hard to know the difference.
Each type of malware has its own purpose and threats associated with it, and while hopefully most people use an anti-virus program there are still a number who don't.

A Trojan virus takes its name from the Greek myth of the Trojan Horse; while these days the delivery package is not a giant wooden horse, it does have as devastating an effect. The premise of a Trojan virus is to allow a remote user or attacker access to your system, or to allow them the ability to make changes on the system.

There are 14 main types of Trojan, each with very similar fundamentals but their overall goal can differ. When a system is infected with a Trojan an attacker can execute actions without the permission of the system's owner, and in many cases without them even knowing.

Although initially it was mainly Windows PCs affected by Trojans, in recent years the number on Android devices has increased at an exponential rate. The unauthorised applications that can be installed on Android devices have opened them up to these types of attack.

Notable Trojan Viruses

Shedun

The Shedun virus comes from a family of malware; its primary platform is Android devices and it was originally discovered in 2015. The virus would redesign legitimately installed applications and flood them with ads. It is very difficult to remove and in many cases cannot be removed unless the device is rooted and then flashed with a custom ROM.

Blackhole Exploit Kit

The Blackhole exploit kit was one of the most effective and widespread viruses during 2012. Sophos stated that 29% of all web threats were caused by the Blackhole exploit kit. When this virus was active on a system it recorded huge amounts of data, including the victim's country, browser type and the operating system they were using.

Tiny Banker Trojan

The Tiny Banker Trojan's target of choice was financial organisations' websites. The attack vector in use is man-in-the-browser. This means that it intercepts the data between the user and the web server.
The Tiny Banker Trojan is based on the Banker Trojan but has been reduced in size and made more powerful.
Once the virus has been deployed on a site, any information such as login details or bank details can be stolen and then used for malicious or illegal purposes.

Gh0st RAT

The Gh0st RAT targeted Windows systems and was able to infect a number of very sensitive systems. The RAT, or Remote Access Terminal, allows the attacker to take complete control of the infected system. This can be used to perform keylogging, record webcams and also display user input, to name a few.

MiniPanzer and MegaPanzer

MiniPanzer and MegaPanzer are variants of Bundestrojaner (German for state-sponsored Trojan Horse). It was designed for the Swiss government and then later used to capture information.

As long as your system has an anti-virus application and you're careful about how you use the internet, your chances of being infected by a Trojan are reduced massively. And with new malware appearing every day there could be numerous Trojans out there in the wild that are yet to be detected by anti-virus companies and added to their databases.

And in many cases you may be unaware that your system has been infected, as the attacker could simply be collecting data on you to use at a later date.

PLA Unit 61398 is the Chinese cyber-warfare unit, although there is very little published about their clandestine operations. In a country as secretive as China, it is to be expected that they would keep this group relatively secret.

In 2013 the American security firm Mandiant released a report highlighting PLA Unit 61398, and suspects them of launching attacks on the US. Their targets are not only governmental and federal organisations, but also private sector businesses.

The types of attacks carried out by this group range from advanced persistent threats to the deployment of malware. It is hard to find an accurate figure on the numbers of attacks carried out by this group, as they wish to remain secretive. It is understandable that China’s offensive cyber unit does not want to take credit for every attack they have carried out.

That being said, they have been accused of a number of attacks over the years. There is speculation around the group's involvement in Operation Shady RAT; this attack is said to have affected more than 70 organisations including the United Nations and US Government.
There are also other reports that suggest that the number of organisations attacked by this group is in the thousands. Through further investigation it appeared that most of these attacks are carried out during working hours in Beijing's time zone; although this is not concrete evidence, it allows for further speculation about the attackers' location. And the somewhat regimented hours in which these attacks are carried out lead me to believe that, although it could be a well-structured group of hackers, it is much more likely that this organisation is official or governmental.

Will any more of the activities carried out by this group hit the headlines, or will it all merely remain speculation and accusation?